It was always just a matter of time until malware writers started targeting Macs. Until suddenly, time was up–much sooner than expected.
The Flashback Trojan that infected 700,000 Macs at its peak earlier this month represents a rude awakening for Apple users who long believed their computers to be immune from the kind of malicious software that infects PCs. Security researchers know that Macs are no better protected from cybercriminals’ attacks than Windows machines. But for years, it was believed that Apple’s low market share would protect it from online evildoers. Why waste time coding a virus for Apple’s tiny sliver of users when a much vaster sea of vulnerable Windows machines was waiting to be infected and hijacked for click fraud, denial of service attacks or credit card theft?
But fraudsters are shifting their focus to Macs nonetheless. In a Web conference with reporters Thursday morning, antivirus firm Kaspersky presented stats showing that instances of Apple malware have climbed steadily from practically none in 2003 to around 250 this month. (See chart at below.)
The causes of that shift have a little to do with Apple’s growing market share, says Adam J. O’Donnell, a security researcher with the firm Sourcefire. But they also have a lot to do with the security of Windows users.
Four years ago, O’Donnell wrote a paper for IEEE Security & Privacy (available in PDF here) that used game theory to predict exactly when malware writers would turn their focus to Apple’s Mac OSX. He assumed that non-Mac users run antivirus software, that Mac users don’t, and that antivirus software has an 80% success rate at detecting new variants of malware.
Then he wrote some simple equations. (Skip this paragraph if the word “equation” makes you cringe.) If v is the value derived from successfully attacking a target computer, and f is the market share of non-Apple computers, then cybercriminals would start hitting Macs when (1-.8)fv = (1-f)v, based on that 80% antivirus success rate. Solve for f, and you get 5/6.
In other words, Apple would have to reach more than 16% market share before it’s an appealing target for cybercrime. So why are Macs already being infected en masse with malware when they only have around 11% market share, by IDC’s last count?
It’s certainly not because cybercriminals are irrational, says O’Donnell. It’s because antivirus programs became more effective than he bargained for.
“I assumed that antivirus effectiveness rate was around 80%. But as that number goes up the market share where Macs become interesting targets goes down,” he says. “If we look at the limits, as antivirus effectiveness reaches 100% it becomes very interesting to attack Macs.”
In fact, antivirus does seem to be detecting malware at a significantly higher rate today than the 80% that O’Donnell factored in. According to a March test by antivirus auditor AV Comparatives, the best antivirus software detected 99.7% of malware variants in a test set of 300,000 samples, and the worst antivirus software, Microsoft’s free Internet Security Essentials, detected 93.1%. (In Microsoft’s defense, its program also had the least false positives of any tested.)
When I plug that least-optimistic 93% detection rate into O’Donnell’s equation instead of the 80% he assumed in 2008, I calculate that Apple would only need to have 6.5% market share before it started attracting cybercriminals’ attention. And given that’s a threshold Apple passed years ago, it’s no wonder fraudsters are experimenting with mass Mac attacks.
O’Donnell freely admits his model is oversimplified for clarity. It doesn’t take into account the cost of switching targets–malware authors would need to spend valuable time learning to code for a new operating system, for instance. And it completely leaves out targeted attacks and instead assumes that every computer is equally valuable to infect with malware. “Clearly there’s a much greater value for taking out a control system that tells Iranian centrifuges how to behave than for taking out Grandma’s PC,” O’Donnell admits.
O’Donnell’s notion that every non-Mac user runs antivirus and that every Mac user doesn’t is also a very rough assumption. But it’s backed up by a more general truth: Even beyond users’ lack of antivirus, Apple’s security posture has been less than vigilant in recent years. Long before the Flashback malware used a vulnerability in Java to invisibly infect users’ machines when they visited certain websites, Apple often fell weeks or months behind in patching known Java vulnerabilities for which Oracle had already released a fix. In Kaspersky’s Thursday morning research presentation, security researcher Vincente Diaz cited a Java patch in 2009 that Apple was 32 days late to implement and another in 2011 that it took an extra 20 days to fix. The vulnerability that led to the Flashback outbreak was left unpatched for a full 48 days after Oracle released its update.
For Apple users, all of this means that their days of innocent immunity are over. Even with just an 11% market share, Mac users need to tighten their security to the same paranoid levels as Windows users or risk becoming attractive targets for malware infection.
O’Donnell points out that the next release of OSX known as Mountain Lion will likely offer security measures similar to iOS that limit code that the user can install to approved applications. But until then, he recommends Mac users become more vigilante about their machines’ security, patching or disabling vulnerable programs and in some cases running antivirus. “If you keep up with all the news from the security world, you probably don’t have to worry,” he says. “But if it’s your parent’s Mac that you patch once a year when you go home for Christmas, you should probably run antivirus on it.”